Problem/Motivation

Using BASIC_AUTH as user-1

curl --verbose --request GET 'http://admin:admin@drupal.d8/node?_format=json'
curl --verbose --request GET 'http://admin:admin@drupal.d8/node?_format=hal_json'

HTTP/1.1 403 Forbidden

fails, while these succeed:

curl --verbose --request GET 'http://drupal.d8/node/1?_format=json'
curl --verbose --request GET 'http://drupal.d8/node/1?_format=hal_json'

According to #5, a CSRF token is required for basic auth requests from authenticated users only.

Note: a similar report about the REST export display, with a different solution, is in #2228141: Add authentication support to REST views

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

I'm running basic tests on Drupal 8's REST server... Doing simple GET on nodes...

Basic auth doesn't work on a resource with cookie auth enabled. Are they meant to be mutually exclusive?

Are there any instances where a client may want both? This won't work because if cookie is enabled, basic auth is ignored.

Comments

Syntapse

Issue summary: View changes

Syntapse

Issue summary: View changes

Syntapse

Title: REST basic auth is broken » REST cookie auth overrides basic auth?
Issue summary: View changes

dawehner

Status: Active » Postponed (maintainer needs more info)

Can you have a quick look at the generated route entry? Does it have just basic auth, or also cookie in there?

clemens.tolboom

Status: Postponed (maintainer needs more info) » Active

I can get a node without problems using BASIC_AUTH using

curl --user admin:admin --request GET 'http://drupal.d8/node/1?_format=json'
curl --user admin:admin --request GET 'http://drupal.d8/node/1?_format=hal_json'

but after adding a REST export display to /node, both give

curl --user admin:admin --request GET 'http://drupal.d8/node?_format=hal_json'
{"message":""}

curl --user admin:admin --request GET 'http://drupal.d8/node?_format=json'
{"message":""}

while without authentication both result in the expected JSON response:

curl --request GET 'http://drupal.d8/node?_format=hal_json'
curl --request GET 'http://drupal.d8/node?_format=json'

Debugging my Angular app configured to use BASIC_AUTH, I discovered that StackMiddleware starts a session, which is later on used by CSRFAccessCheck to require a token for authenticated users only.

# core/lib/Drupal/Core/StackMiddleware/Session.php:55
  public function handle(Request $request, $type = self::MASTER_REQUEST, $catch = TRUE) {
    if ($type === self::MASTER_REQUEST && PHP_SAPI !== 'cli') {
      $session = $this->container->get($this->sessionServiceName);
      $session->start();
      $request->setSession($session);
    }

    $result = $this->httpKernel->handle($request, $type, $catch);
    // ... (remainder of the method omitted)
  }

# core/modules/rest/src/Access/CSRFAccessCheck.php:73
  public function access(Request $request, AccountInterface $account) {
    $method = $request->getMethod();

    // This check only applies if
    // 1. this is a write operation
    // 2. the user was successfully authenticated and
    // 3. the request comes with a session cookie.
    if (!in_array($method, array('GET', 'HEAD', 'OPTIONS', 'TRACE'))
      && $account->isAuthenticated()
      && $this->sessionConfiguration->hasSession($request)
    ) {
      $csrf_token = $request->headers->get('X-CSRF-Token');
      if (!\Drupal::csrfToken()->validate($csrf_token, 'rest')) {
        return AccessResult::forbidden()->setCacheMaxAge(0);
      }
    }
    // ... (remainder of the method omitted)
  }
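The request matrix from the issue summary and from this comment (single node vs. the /node REST export view, json vs. hal_json, with and without basic auth), as an added reproduction script that is not code from the issue or from Drupal core. It assumes the site URL and admin:admin credentials used in the curl commands above, and treats a 403 whose body is {"message":""} as the symptom reported here.

```python
import base64
import urllib.error
import urllib.request

BASE_URL = "http://drupal.d8"      # assumption: the site used in this issue
CREDENTIALS = ("admin", "admin")   # assumption: the credentials used in this issue
PATHS = ("/node/1", "/node")       # single node resource vs. the /node REST export view
FORMATS = ("json", "hal_json")

def basic_auth_header(user, password):
    """Authorization header value that `curl --user user:password` sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def request_matrix(base=BASE_URL, paths=PATHS, formats=FORMATS):
    """All (url, use_basic_auth) pairs covered by the curl commands above."""
    return [(f"{base}{path}?_format={fmt}", auth)
            for path in paths for fmt in formats for auth in (False, True)]

def classify(status, body):
    """Name the outcome; the symptom reported here is a 403 with {"message":""}."""
    if status == 403 and body.strip() == '{"message":""}':
        return "forbidden (empty message, the symptom from this issue)"
    if status == 403:
        return "forbidden"
    if 200 <= status < 300:
        return "ok"
    return f"unexpected HTTP {status}"

def fetch(url, use_basic_auth, timeout=10):
    """GET the URL and return (status, body); never raise on 4xx/5xx."""
    req = urllib.request.Request(url, method="GET")
    if use_basic_auth:
        req.add_header("Authorization", basic_auth_header(*CREDENTIALS))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def run_matrix():
    """Fetch every combination and return {(url, use_basic_auth): outcome}."""
    results = {}
    for url, auth in request_matrix():
        status, body = fetch(url, auth)
        results[(url, auth)] = classify(status, body)
        print(f"{'basic' if auth else 'anon '} {url}: {results[(url, auth)]}")
    return results

if __name__ == "__main__":
    run_matrix()
```

Once the view has basic auth enabled (the fix in #2228141), every row should report "ok"; any "forbidden (empty message ...)" row with basic auth is the regression this issue describes.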
dawehner

Component: base system » routing system
Issue tags: +Needs testing

This issue is certainly not suitable for base system.

clemens.tolboom

Issue summary: View changes
dawehner

I'm curious whether #2228141: Add authentication support to REST views would sort of fix the issue?

clemens.tolboom

Status: Active » Closed (duplicate)

I've tested #2228141: Add authentication support to REST views again and its patch solves requests like

curl --request GET http://admin:admin@drupal.d8/node?_format=hal_json

So this is a duplicate of the mentioned issue.